Bugbear, Klez Continue to Infect Networks

Two new viruses raise their ugly heads while two known culprits top November's virus charts.

The Klez worm and the Bugbear virus were the heaviest hitters last month, with different antivirus organizations alternately giving each piece of malicious code top billing for November.

Panda Software, based in Glendale, Calif., reports that the "I" variant of the Klez worm topped the ranking of malicious code infecting users' systems. According to data collected by the company's antivirus software last month, Klez.I caused more than 20% of all recorded incidents.

But antivirus vendor Sophos Inc., with U.S. headquarters in Lynnfield, Mass., reports that its data shows the Bugbear virus accounted for nearly 30% of incidents.

Panda Software ranked the Bugbear virus second with nearly 11% of reported incidents, while Sophos ranked Klez third at 7.7%, behind the second-place Braid-A worm with 8.5%.

Graham Cluley, senior technology consultant at Sophos, says it's critical that corporate IT leaders keep their patches updated and stay on top of new outbreaks and ongoing attacks.

"It's important that all users ensure they are protected against Bugbear because it implants code that can log victims' keystrokes," says Cluley, who notes that Bugbear can spread via email or network shares. "This means hackers are getting a perfect view of everything you type, including passwords, bank account details and credit card numbers."

But as two known viruses continue to cause trouble, antivirus experts are turning an eye toward two new problems -- the Winevar worm and the CIH or Chernobyl virus.

The Winevar worm spreads via e-mail and drops a virus into the victim's system. It's considered to be a dangerous worm because it deletes the content of every directory in the affected computer, with the exception of active programs. Winevar activates when any of the attached files are run and automatically activates when the e-mail is viewed through Microsoft Outlook's Preview Pane, taking advantage of the Exploit/Frame vulnerability.

The CIH, or Chernobyl, virus was the first widespread virus to render hardware unusable. It's considered to be very destructive, so its recent resurgence -- some versions were originally activated on April 26, 1999, the 13th anniversary of the Chernobyl disaster -- has raised concern in the antivirus arena.

The Chernobyl virus infects executable files and is spread by executing an infected file. Since many files are executed during normal use of a computer, the CIH virus can infect many files quickly, according to the CERT Coordination Center.

There are several variants of this virus. Some activate every month on the 26th, while other variants only activate on April 26 or June 26. Some machines may require a new BIOS chip to recover.

There is a slight bright spot associated with Chernobyl. Infected computers are not able to boot up, so they cannot infect others after the payload triggers.